Field of the Invention
The invention relates to methods for examining an information system to ascertain the occurrence or nature of the access performed.
Description of the Related Art
Theft of corporate proprietary information, according to the FBI and CSI, has repeatedly been the most financially harmful category of computer crime (“CSI/FBI 2003 Computer Crime and Security Survey”). Insider data theft is especially threatening and difficult to detect, since the thief often has the technical authority to access the information (Hillstrom and Hillstrom, “Gale Encyclopedia of Small Business”, Gale Group/Thomson, 2002; Yu and Chiueh, Display-only file server, Proceedings of the 4th ACM workshop on DRM, 2004). Consequently, there is a great need for methods to conduct examinations of information systems or data to be able to determine if data has been copied. More generally, there is a need for methods to conduct examinations of information systems or data to determine the existence or nature of past access.
Numerous inventions attempt to prevent copying of data or digital assets. Examples include U.S. Pat. No. 7,062,784 to Sinquin et al (2006), U.S. Pat. No. 7,340,778 to Brown (2008), U.S. Pat. No. 7,458,100 to Jascau and Lange (2008), U.S. Pat. No. 6,473,560 to Linnartz and Talstra (2002), and U.S. Pat. No. 5,761,302 to Park (1998). These inventions attempt to prevent unauthorized data copying. However, they fail to enable a post facto examiner to determine if data were copied or not.
There are many inventions which involve modifying an information system to detect subsequent copies of data. Examples include U.S. Pat. No. 6,549,638 to Davis et al (2003). Likewise, there are many inventions which involve modifying data itself to detect subsequent copies, a process generally known as watermarking. Examples include U.S. Pat. No. 7,587,601 to Levy et al (2009). These inventions only work in the case in which the required modifications were performed before the time of alleged copying under investigation. Thus, for the majority of information systems and data, which have not been specially modified to detect copying, these inventions fail to be of use.
Several methods which detect if data were copied without requiring special modifications beforehand have been invented. Liu et al present a method to do so given a network trace of the activity (Liu et al, “SIDD: A framework for detecting sensitive data exfiltration by an insider attack”, Hawaii International Conference on System Sciences, 2009). However, this method only works when network activity has been recorded and preserved, and is available to the examiner. For the majority of examinations, this is not the case. Chow, Law, Kwan and Lai (“The Rules of Time on NTFS File System”, in Proceedings of the Second International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE '07), pages 71-85, IEEE Computer Society, Washington, D.C., USA, 2007) present a method to detect copying given the media to which the data was copied. However, this method requires the examiner to have access to the media to which the data was copied. In the majority of examinations, the examiner does not have this.
Farmer and Venema (“Forensic Discovery”, Pearson, 2005) present a method to examine a filesystem and determine the quantity of file access occurring at a particular time. They make particular use of MAC timestamps, which are times of last access of each file, automatically recorded by many modern filesystems. Their invention has been widely adopted by practitioners of the art, and is a component of numerous other inventions in the art. Their invention is capable of detecting if file access occurred at a particular time. However, their invention is incapable of distinguishing copying data from other forms of reading it, and hence cannot be used to ascertain if data was copied. Furthermore, although it can determine that activity occurred on a particular date, it cannot determine the nature of that activity.
Furthermore, on certain filesystems, such as Microsoft Windows NTFS, data can be copied without being read by the user, causing the copy to be invisible to the method of Farmer and Venema. In short, to date, no method has been invented which, given an information system or filesystem which has not been specially modified beforehand, can determine if data or files were copied from it, or can determine the nature of activity which may have occurred at a particular time. Forensics expert Harlan Carvey specifically notes that despite the large need for a method to detect copying of data without acquiring the media that the data was copied to, neither he nor anyone else has been able to do so: “... the simple fact is that at this time, there are no apparent artifacts of the process ... Artifacts of a copy operation ... are not recorded in the Registry, or within the file system, as far as I and others have been able to determine.” (Carvey, “Windows Forensic Analysis DVD Toolkit”, Second Edition, Syngress, 2009).
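The following is an added illustration, not part of the patent text, of the Farmer and Venema timeline approach described above: MAC timestamps are flattened into a time-ordered event list and last-access events are counted per hour. The file records are constructed sample data; the second record set models the NTFS case in which a copy leaves the last-access timestamps untouched (NTFS has disabled last-access updates by default since Windows Vista), so the same copy produces no activity in the timeline.

```python
"""Added example: minimal MAC-timestamp timeline in the style of Farmer and Venema.
All records below are constructed sample data, not taken from any real system."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: datetime   # last content modification
    atime: datetime   # last access (read)
    ctime: datetime   # last metadata change (creation time on NTFS)


def build_timeline(records):
    """Flatten each record into (timestamp, flag, path) events, time-ordered."""
    events = []
    for r in records:
        for ts, flag in ((r.mtime, "m"), (r.atime, "a"), (r.ctime, "c")):
            events.append((ts, flag, r.path))
    return sorted(events)


def access_events_per_hour(records):
    """Count last-access ('a') events per clock hour: how much reading happened, and when."""
    hours = Counter()
    for ts, flag, _path in build_timeline(records):
        if flag == "a":
            hours[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return hours


T0 = datetime(2009, 1, 10, 9, 0)      # constructed: original creation/edit time
BURST = datetime(2009, 3, 1, 14, 5)   # constructed: time of the suspected bulk read or copy

# Case 1: the filesystem updates atime on read; three files were touched during the burst.
# A plain read and a copy both move atime, so the timeline cannot tell them apart.
READ_BURST = [
    FileRecord("/docs/plan.doc",   T0, BURST,                    T0),
    FileRecord("/docs/budget.xls", T0, BURST.replace(minute=7),  T0),
    FileRecord("/docs/roster.csv", T0, BURST.replace(minute=12), T0),
    FileRecord("/docs/old.txt",    T0, T0,                       T0),
]
# Case 2: same copy, but last-access updates are disabled, so atime never moves.
SILENT_COPY = [FileRecord(r.path, r.mtime, T0, r.ctime) for r in READ_BURST]


def burst_hour_count(records):
    """Number of last-access events falling in the hour of the suspected burst."""
    return access_events_per_hour(records)[BURST.replace(minute=0)]


if __name__ == "__main__":
    print("read burst:", burst_hour_count(READ_BURST))    # 3
    print("silent copy:", burst_hour_count(SILENT_COPY))  # 0
```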
Thus, what is needed is a method of examining a filesystem or information system which can determine if data was copied, or which can determine the nature of access which may have occurred, which does not require specially modifying the system or data beforehand, and which does not require access to the media to which the data may have been copied.